author | 2022-06-09 16:01:22 -0600 | |
---|---|---|
committer | 2022-06-15 08:47:49 +0300 | |
commit | cc196a524bd19f0f9e5960c0fb4744347f0fd3af (patch) | |
tree | 771ab38181b6452e9bc5c0629e5a67d739f216a9 /sys-apps/firejail | |
parent | dev-ruby/minitest: add 5.16.0 (diff) | |
sys-apps/firejail: bump to 0.9.70 for security fixes; cleanup
Fix for CVE-2022-31214. Drop the old version and the unmaintained live (9999) ebuild.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Bug: https://bugs.gentoo.org/850748
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Closes: https://github.com/gentoo/gentoo/pull/25840
Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Diffstat (limited to 'sys-apps/firejail')
-rw-r--r-- | sys-apps/firejail/Manifest | 1 | ||||
-rw-r--r-- | sys-apps/firejail/files/firejail-0.9.70-envlimits.patch | 12 | ||||
-rw-r--r-- | sys-apps/firejail/files/firejail-0.9.70-firecfg.config.patch | 82 | ||||
-rw-r--r-- | sys-apps/firejail/firejail-0.9.70.ebuild (renamed from sys-apps/firejail/firejail-0.9.68.ebuild) | 6 | ||||
-rw-r--r-- | sys-apps/firejail/firejail-9999.ebuild | 99 | ||||
-rw-r--r-- | sys-apps/firejail/metadata.xml | 1 |
6 files changed, 98 insertions, 103 deletions
diff --git a/sys-apps/firejail/Manifest b/sys-apps/firejail/Manifest
index ae81ea9d7be4..93c7782e051e 100644
--- a/sys-apps/firejail/Manifest
+++ b/sys-apps/firejail/Manifest
@@ -1 +1,2 @@
 DIST firejail-0.9.68.tar.xz 477332 BLAKE2B 4d995715caa81b69bb9a16f604a2463b2db48fad5ba869bb5f353973ce8ec273dbabe07ee340b40094d6fe15bcef7e356cd07e7e7dfd0491d2d1632f64878a0e SHA512 8c03c145bb91fe696407052968bd1069defc44d274bd74d33fccebb28324121d259973fccc1d1cdc38fb2902bb842e921adc9440596a92a4aa13c4e06963e354
+DIST firejail-0.9.70.tar.xz 485096 BLAKE2B d5164ba5ee08e80415a84999e4152f1f9c897f50def669731098126cec117aed3cf4b21603aeb13ccbdb1bffa9d48de69dcb19fe7135691e891b9b83f48a5ca1 SHA512 a790ccb711da6c3e52677011d7eb38c482ffb5066498d4586018671ab4ee533e02edb31fda872e0647fd27c00014b04305eafcb56f1f1b07f470aa4fb701cbe5
diff --git a/sys-apps/firejail/files/firejail-0.9.70-envlimits.patch b/sys-apps/firejail/files/firejail-0.9.70-envlimits.patch
new file mode 100644
index 000000000000..d99db424c052
--- /dev/null
+++ b/sys-apps/firejail/files/firejail-0.9.70-envlimits.patch
@@ -0,0 +1,12 @@
+diff -urP firejail-0.9.70.orig/src/firejail/firejail.h firejail-0.9.70/src/firejail/firejail.h
+--- firejail-0.9.70.orig/src/firejail/firejail.h 2022-06-08 07:42:50.000000000 -0600
++++ firejail-0.9.70/src/firejail/firejail.h 2022-06-09 13:06:04.094034022 -0600
+@@ -706,7 +706,7 @@
+ int check_kernel_procs(void);
+ void run_no_sandbox(int argc, char **argv) __attribute__((noreturn));
+
+-#define MAX_ENVS 256 // some sane maximum number of environment variables
++#define MAX_ENVS 2048 // some sane maximum number of environment variables
+ #define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH, only applied to Firejail's own sandboxed apps
+ // env.c
+ typedef enum {
diff --git a/sys-apps/firejail/files/firejail-0.9.70-firecfg.config.patch b/sys-apps/firejail/files/firejail-0.9.70-firecfg.config.patch
new file mode 100644
index 000000000000..ff751b9dc684
--- /dev/null
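Review bot: The new `+#define MAX_ENVS 2048` line keeps upstream's comment "some sane maximum number of environment variables", which no longer explains why Gentoo ships eight times upstream's value or when the deviation can be dropped; something like `#define MAX_ENVS 2048 // Gentoo: 256 is too low for portage/emerge environments, see bug 850748` would record that in the header itself. If MAX_ENVS also sizes a fixed buffer in env.c (not visible in this hunk), the larger value grows that allocation accordingly, which is worth confirming before the patch is carried to later versions. Since the patch file is named after the exact version, it must be revisited on every bump; reporting the limit upstream would let it disappear.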
+++ b/sys-apps/firejail/files/firejail-0.9.70-firecfg.config.patch
@@ -0,0 +1,82 @@
+diff -urP firejail-0.9.70.orig/src/firecfg/firecfg.config firejail-0.9.70/src/firecfg/firecfg.config
+--- firejail-0.9.70.orig/src/firecfg/firecfg.config 2022-06-08 07:42:50.000000000 -0600
++++ firejail-0.9.70/src/firecfg/firecfg.config 2022-06-09 13:06:38.646038407 -0600
+@@ -213,7 +213,8 @@
+ electron-mail
+ electrum
+ element-desktop
+-elinks
++# Breaks emerge/portage on Gentoo: 'too many environment variables'
++#elinks
+ empathy
+ enchant
+ enchant-2
+@@ -259,7 +260,8 @@
+ flameshot
+ flashpeak-slimjet
+ flowblade
+-fontforge
++# Breaks emerge/portage on Gentoo
++#fontforge
+ font-manager
+ fossamail
+ four-in-a-row
+@@ -490,11 +492,16 @@
+ luminance-hdr
+ lximage-qt
+ lxmusic
+-lynx
++# Breaks emerge/portage on Gentoo: 'too many environment variables'
++#lynx
+ lyx
+ macrofusion
+ magicor
+-man
++# Breaks: $ man chromium-browser
++# WARNING: terminal is not fully functional
++# Press RETURN to continue
++# Manual page chromium-browser(1) byte 0/0 (END) (press h for help or q to quit)
++#man
+ manaplus
+ marker
+ masterpdfeditor
+@@ -571,7 +578,8 @@
+ musictube
+ musixmatch
+ mutool
+-mutt
++# Breaks when configs are under ~/.mutt/
++#mutt
+ mypaint
+ mypaint-ora-thumbnailer
+ natron
+@@ -635,7 +643,8 @@
+ palemoon
+ #pandoc
+ parole
+-patch
++# Breaks emerge/portage on Gentoo: 'too many environment variables', path issues
++#patch
+ pavucontrol
+ pavucontrol-qt
+ pcsxr
+@@ -761,7 +770,8 @@
+ stellarium
+ strawberry
+ straw-viewer
+-strings
++# Breaks emerge/portage on Gentoo
++#strings
+ studio.sh
+ subdownloader
+ supertux2
+@@ -880,7 +890,8 @@
+ weechat
+ weechat-curses
+ wesnoth
+-wget
++# Breaks emerge/portage on Gentoo: 'too many environment variables', path issues
++#wget
+ wget2
+ whalebird
+ whois
diff --git a/sys-apps/firejail/firejail-0.9.68.ebuild b/sys-apps/firejail/firejail-0.9.70.ebuild
index 50077c0d2db7..5c5a610f1024 100644
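Review bot: Four of the entries disabled here (`elinks`, `lynx`, `patch`, `wget`) cite 'too many environment variables' as the reason, yet the companion envlimits patch in this same commit raises MAX_ENVS from 256 to 2048, so the hunk does not show whether these were re-tested with the higher limit or still fail under it. Every name removed from firecfg.config is a program `firecfg` will no longer wrap in a sandbox, and wget, lynx and elinks are precisely the network-facing tools users expect jailed, so each disabled line should say that it still breaks with the raised limit, e.g. `# Breaks emerge/portage on Gentoo even with MAX_ENVS=2048: 'too many environment variables'`, or be re-enabled if the limit change alone fixes it. The `man` and `mutt` entries describe breakage unrelated to the env limit and presumably stay disabled either way.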
--- a/sys-apps/firejail/firejail-0.9.68.ebuild
+++ b/sys-apps/firejail/firejail-0.9.70.ebuild
@@ -9,7 +9,7 @@ inherit toolchain-funcs python-single-r1 linux-info
 
 if [[ ${PV} != 9999 ]]; then
 	SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz"
-	KEYWORDS="amd64 ~arm ~arm64 ~x86"
+	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
 	inherit git-r3
 	EGIT_REPO_URI="https://github.com/netblue30/firejail.git"
@@ -21,7 +21,7 @@ HOMEPAGE="https://firejail.wordpress.com/"
 
 LICENSE="GPL-2"
 SLOT="0"
-IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home test +userns +whitelist X"
+IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home test +userns X"
 # Needs a lot of work to function within sandbox/portage
 # bug #769731
 RESTRICT="test"
@@ -39,6 +39,7 @@ REQUIRED_USE="contrib? ( ${PYTHON_REQUIRED_USE} )"
 
 PATCHES=(
 	"${FILESDIR}/${P}-envlimits.patch"
+	"${FILESDIR}/${P}-firecfg.config.patch"
 )
 
 pkg_setup() {
@@ -81,7 +82,6 @@ src_configure() {
 		$(use_enable network) \
 		$(use_enable private-home) \
 		$(use_enable userns) \
-		$(use_enable whitelist) \
 		$(use_enable X x11)
 
 	cat > 99firejail <<-EOF || die
diff --git a/sys-apps/firejail/firejail-9999.ebuild b/sys-apps/firejail/firejail-9999.ebuild
deleted file mode 100644
index 440d20af51ec..000000000000
--- a/sys-apps/firejail/firejail-9999.ebuild
+++ /dev/null
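Review bot: The `+	KEYWORDS="~amd64 ~arm ~arm64 ~x86"` line moves amd64 from stable to testing on the release the message presents as the CVE-2022-31214 fix, so stable amd64 users remain on 0.9.68 until a separate stabilisation; that is the usual Gentoo flow for a bump, but the message should state that a stable request is tracked (presumably in bug 850748) so the exposure window is visible to readers of the log. The removal of `+whitelist` from IUSE and of `$(use_enable whitelist)` from src_configure is not explained anywhere in the hunk; if the configure switch was dropped upstream in 0.9.70, a one-line note beside IUSE such as `# --enable-whitelist removed upstream in 0.9.70; whitelisting is always built` would stop the next bump from re-adding it. Whether existing `USE=-whitelist` settings now only produce a stale-flag warning rather than a different build is also worth one sentence in the message. The src_configure body continues outside the hunk.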
@@ -1,99 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-PYTHON_COMPAT=( python3_{8..10} )
-
-inherit toolchain-funcs python-single-r1 linux-info
-
-if [[ ${PV} != 9999 ]]; then
-	SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz"
-	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
-else
-	inherit git-r3
-	EGIT_REPO_URI="https://github.com/netblue30/firejail.git"
-	EGIT_BRANCH="master"
-fi
-
-DESCRIPTION="Security sandbox for any type of processes"
-HOMEPAGE="https://firejail.wordpress.com/"
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home test +userns +whitelist X"
-# Needs a lot of work to function within sandbox/portage
-# bug #769731
-RESTRICT="test"
-
-RDEPEND="!sys-apps/firejail-lts
-	apparmor? ( sys-libs/libapparmor )
-	contrib? ( ${PYTHON_DEPS} )
-	dbusproxy? ( sys-apps/xdg-dbus-proxy )"
-
-DEPEND="${RDEPEND}
-	sys-libs/libseccomp
-	test? ( dev-tcltk/expect )"
-
-REQUIRED_USE="contrib? ( ${PYTHON_REQUIRED_USE} )"
-
-pkg_setup() {
-	CONFIG_CHECK="~SQUASHFS"
-	local ERROR_SQUASHFS="CONFIG_SQUASHFS: required for firejail --appimage mode"
-	check_extra_config
-	use contrib && python-single-r1_pkg_setup
-}
-
-src_prepare() {
-	default
-
-	find -type f -name Makefile.in -exec sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' {} + || die
-
-	sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' ./src/common.mk.in || die
-
-	# fix up hardcoded paths to templates and docs
-	local files=$(grep -E -l -r '/usr/share/doc/firejail([^-]|$)' ./RELNOTES ./src/man/ ./etc/profile*/ ./test/ || die)
-	for file in ${files[@]} ; do
-		sed -i -r -e "s:/usr/share/doc/firejail([^-]|\$):/usr/share/doc/${PF}\1:" "${file}" || die
-	done
-
-	# remove compression of man pages
-	sed -i -r -e '/rm -f \$\$man.gz; \\/d; /gzip -9n \$\$man; \\/d; s|\*\.([[:digit:]])\) install -m 0644 \$\$man\.gz|\*\.\1\) install -m 0644 \$\$man|g' Makefile.in || die
-
-	if use contrib; then
-		python_fix_shebang -f contrib/*.py
-	fi
-}
-
-src_configure() {
-	econf \
-		--disable-firetunnel \
-		--enable-suid \
-		$(use_enable apparmor) \
-		$(use_enable chroot) \
-		$(use_enable dbusproxy) \
-		$(use_enable file-transfer) \
-		$(use_enable globalcfg) \
-		$(use_enable network) \
-		$(use_enable private-home) \
-		$(use_enable userns) \
-		$(use_enable whitelist) \
-		$(use_enable X x11)
-}
-
-src_compile() {
-	emake CC="$(tc-getCC)"
-}
-
-src_install() {
-	default
-
-	rm "${ED}"/usr/share/doc/${PF}/COPYING || die
-
-	if use contrib; then
-		python_scriptinto /usr/$(get_libdir)/firejail
-		python_doscript contrib/*.py
-		insinto /usr/$(get_libdir)/firejail
-		dobin contrib/*.sh
-	fi
-}
diff --git a/sys-apps/firejail/metadata.xml b/sys-apps/firejail/metadata.xml
index ea3a52f878b9..91bf2e4aa95b 100644
--- a/sys-apps/firejail/metadata.xml
+++ b/sys-apps/firejail/metadata.xml
@@ -31,7 +31,6 @@
 		<flag name="network">Enable networking features</flag>
 		<flag name="private-home">Enable private home feature</flag>
 		<flag name="userns">Enable attaching a new user namespace to a sandbox (--noroot option)</flag>
-		<flag name="whitelist">Enable whitelist</flag>
 		<flag name="X">Enable X11 sandboxing</flag>
 	</use>
 </pkgmetadata>
|